23

From "What are the iptables rules to permit ntp?":

iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

Also, from the NTP website:

... ntpd requires full bidirectional access to the privileged UDP port 123. ...

My question is, why? To someone not familiar with NTP, this seems like a potential security hole, especially when I'm asking a client of mine to open up that port in their firewall so that my servers can keep their time synchronised. Does anyone have a decent justification I can give to my client to convince them that I need this access in the firewall? Help is appreciated! :)

4 Answers

14

You only need to allow incoming traffic on NTP's ports if you are acting as a server, allowing clients to sync to you.

Otherwise, the existence of an NTP state will automatically determine whether the incoming NTP packet is blocked or allowed by an existing firewall state that we initiated.

# our own queries: ntpd sends from port 123 to the server's port 123
iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT

# replies are accepted because they match the state created by the query above
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Please let me know if the iptables rules are proper. I have no experience with iptables. My NTP client stays synchronized on my pfSense router with only an outgoing allow rule because pfSense is a stateful firewall.

Ben Cook
6

NTP requires bi-directional access on port 123 because the NTP RFC specifies the following regarding the source port of the client:

When operating in symmetric modes (1 and 2), this field must contain the NTP port number PORT (123) assigned by the IANA.

Since the client's source port is 123, when the server sends the response back it'll send it to port 123. Naturally, in order to be able to receive that response the client must allow incoming responses on port 123. Normally responses would come back on some ephemeral port range.

As Ben Cook mentioned above, this is only required when dealing with a stateless firewall as a stateful firewall would allow the response to come back without an explicit rule.
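The two answers above describe the same exchange from two sides: the client's query leaves from port 123 to port 123, and the reply comes back the same way, so a stateless firewall needs an explicit INPUT rule while a stateful one only needs the ESTABLISHED match. The script below is an added example (not code from either answer) that prints the iptables commands for each case and for a host that also serves clients. It assumes ntpd on both ends (so queries are sport 123 to dport 123), a kernel with the conntrack match, and INPUT/OUTPUT chains whose default policy is DROP; the function names ntp_rules, client_rules and server_rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the original answers: print the iptables commands an
# ntpd host needs in each role. Assumptions: ntpd on both ends is bound to
# UDP 123 (queries go from sport 123 to dport 123), the kernel has the
# conntrack match, and INPUT/OUTPUT default to DROP. Review the output, then
# pipe it to sh as root.

# client_rules MODE  (MODE = stateful | stateless)
client_rules() {
    # Our own queries leave from port 123 to the server's port 123.
    echo "iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT"
    if [ "$1" = stateless ]; then
        # No connection tracking: the reply (server port 123 -> our port 123)
        # must be allowed by an explicit rule. This is the "bidirectional
        # access to port 123" the ntp.org text describes.
        echo "iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT"
    else
        # Stateful: the query created a conntrack entry, so the reply matches
        # ESTABLISHED and no port-specific INPUT rule is needed.
        echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
}

# server_rules [CIDR]: a server still syncs upstream as a client, then
# accepts queries on 123, optionally only from one source network.
server_rules() {
    client_rules stateful
    if [ -n "$1" ]; then
        echo "iptables -A INPUT -p udp -s $1 --dport 123 -j ACCEPT"
    else
        echo "iptables -A INPUT -p udp --dport 123 -j ACCEPT"
    fi
    # Replies to clients leave from port 123 to whatever port they used.
    echo "iptables -A OUTPUT -p udp --sport 123 -j ACCEPT"
}

# ntp_rules ROLE [ARG]: ROLE is client (ARG: stateful|stateless, default
# stateful) or server (ARG: optional CIDR of the networks allowed to query).
ntp_rules() {
    case "$1" in
    client) client_rules "${2:-stateful}" ;;
    server) server_rules "$2" ;;
    *) echo "usage: ntp_rules client [stateful|stateless] | server [CIDR]" >&2; return 2 ;;
    esac
}

# e.g.  sh ntp-rules.sh server 10.0.0.0/8 | sh
if [ $# -gt 0 ]; then
    ntp_rules "$@"
fi
```

After applying the stateful client rules, `conntrack -L -p udp --dport 123` lists the tracked query entries that the ESTABLISHED rule matches replies against, and `iptables -L INPUT -v -n` shows whether the counters on that rule, rather than on a port-123 rule, are increasing.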

-1

I think that the best solution is to enable port 123 for input, only for the IP addresses expected to give your server the NTP signal.
Inside the ntp config file, /etc/ntp.conf, there are the addresses of several NTP servers your server should point to. You may use the lookup command to find the corresponding IP for each address.

host -t a 0.debian.pool.ntp.org

Then you can add the rule to the server firewall:

# accept only NTP from that server, not all UDP from it
iptables -I INPUT -p udp -s 94.177.187.22 --dport 123 -j ACCEPT

...and so on.
This may prevent any malicious person from damaging your server.
I think it is no use restricting the output.
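The per-server approach above done as a script, as an added example that is not part of the original answer: it reads the upstream names from ntp.conf, resolves each one, and prints one INPUT rule per address, limited to NTP replies (server port 123 to our port 123) rather than all UDP from that host. It assumes ntpd on both ends, `getent ahostsv4` for resolution in place of the `host -t a` lookup shown above, and a stateless firewall where such rules are needed at all; the function names and the sample ntp.conf are this example's own.

```shell
#!/bin/sh
# Added example, not from the original answer: build per-server INPUT rules
# for a host whose firewall is stateless. It reads the upstream names from
# ntp.conf, resolves them, and emits one rule per address, limited to UDP
# replies from the server's port 123 to our ntpd's port 123 (ntpd assumed on
# both ends). Function names are this example's own.

# ntp_servers CONF: hostnames from the server/pool/peer lines of CONF
ntp_servers() {
    sed 's/#.*//' "$1" | awk '$1 == "server" || $1 == "pool" || $1 == "peer" { print $2 }'
}

# resolve_v4 NAME: IPv4 addresses for NAME, one per line. A pool name
# returns several, and the set changes between lookups, so re-run this
# whenever the rules are regenerated.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# allow_rules IP...: one INPUT rule per distinct address, matching only
# NTP replies (sport 123 -> dport 123) rather than all UDP from that host
allow_rules() {
    printf '%s\n' "$@" | sort -u | while read -r ip; do
        [ -n "$ip" ] || continue
        echo "iptables -I INPUT -p udp -s $ip --sport 123 --dport 123 -j ACCEPT"
    done
}

# ntp_allow_from_conf CONF: resolve every upstream in CONF and print rules
ntp_allow_from_conf() {
    ips=
    for name in $(ntp_servers "$1"); do
        ips="$ips $(resolve_v4 "$name")"
    done
    allow_rules $ips
}

# sample_conf: write a constructed ntp.conf (sample data, not a real
# file) and print its path, so the parser can be tried offline
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst   # upstream pool member
pool 1.debian.pool.ntp.org iburst
peer ntp1.example.internal
restrict default kod nomodify notrap nopeer noquery
EOF
    echo "$f"
}

# Typical use (needs DNS and root to apply):
#   ntp_allow_from_conf /etc/ntp.conf | sh
```

Because pool names resolve to a rotating set of addresses, rules generated this way go stale; the script is meant to be re-run from cron or whenever ntp.conf changes, and `ntpq -p` will show an upstream stuck at reach 0 when its address has rotated out of the allowed set.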

-2

NTP server-to-server communication uses source and destination port 123. It is most convenient to explicitly allow that, at least to the hosts on which you are running an NTP service.

You might consider only exposing an external host to the Internet to get time from outside sources. An internal NTP service syncing to this can be the source for all devices. If these hosts are dedicated to the purpose, the possible exposure is limited: they only accept NTP traffic and do not store other data.

Alternately, do not use an external IP network at all. Use a radio source like GPS for time, for example.

http://www.diablotin.com/librairie/networking/firewall/ch08_13.htm
http://support.ntp.org/bin/view/Support/TroubleshootingNTP